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Abstract 

A quantum computer can efficiently find the order of an element in 
a group, factors of composite integers, discrete logarithms, stabilisers in 
Abelian groups, and hidden or unknown subgroups of Abelian groups. It 
is already known how to phrase the first four problems as the estimation 
of eigenvalues of certain unitary operators. Here we show how the so- 
lution to the more general Abelian hidden subgroup problem can also be 
described and analysed as such. We then point out how certain instances 
of these problems can be solved with only one control qubit, or flying 
qubits, instead of entire registers of control qubits. 

1 Introduction 

Shor's approach to factoring pbj , (by finding the order of elements in the multi- 
plicative group of integers mod N, referred to as Z*^) is to extract the period in 
a superposition by applying a Fourier transform. Another approach, based on 
Kitaev's technique jKj|, is to estimate an eigenvalue of a certain unitary opera- 
tor. The difference between the two analyses is that the first one considers (or 
even 'measures' or 'observes') the target or output register in the standard com- 
putational basis, while the analysis we detail here considers the target register 
in a basis containing eigenvectors of unitary operators related to the function 



/. The actual network of quantum gates, as highlighted in [CEMM], is the 
same for both algorithms; it is helpful to understand both approaches. In some 
cases, which we discuss in Sect. ^, this approach suggests implementations 
which do not require a register of control qubits. A more general formulation 
of the order-finding problem as well as the discrete logarithm problem, and the 
Abelian stabiliser problem, is the hidden subgroup problem (or the unknown sub- 



group problem [H0]). In the case that G is presented as the product of a finite 



number of cyclic groups (so G is finitely generated and Abelian), all of these 
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f=hg 




Figure 1: The function / can be viewed as the composition of a homomorphism 
g to a group H, and some 1-to-l mapping h to the set X. Our hidden subgroup 
K will be the kernel of g, and H is isomorphic to G/K. 



problems are solved by the familiar sequence of a Fourier transform, a function 
application, and an inverse Fourier transform. In this paper we describe how 
this more general problem can also be viewed and analysed as an estimation of 
eigenvalues of unitary operators. 



2 The Hidden Subgroup Problem 

Let / be a function from a finitely generated group G to a finite set X such 
that / is constant on the cosets of a subgroup K (of finite index, since X is 
finite), and distinct on each coset. The hidden subgroup problem is to find 
K (that is, a generating set for K), given a way of computing /. When K is 
normal in G, we could in fact decompose / as ho g, where g is a homomorphism 
from G to some finite group H , and h is some 1-to-l mapping from H to the 
set X. In this case, K corresponds to the kernel of g and H is isomorphic to 
G/K. We will occasionally refer to this decomposition, which we illustrate in 
Fig. |]. Define the input size, n, to be of order log 2 [G : K]. We will count 
the number of operations, or the running time, in terms of n. An algorithm 
is considered efficient if its running time is polynomial in the input size. By 
elementary quantum operations, we are referring to a finite set of quantum logic 
gates which allow us to approximate any unitary operation. See [ BBCDMSSSW | 
for a discussion and further references. Our running times will always refer to 
expected running times, unless explicitly stated otherwise. By expected running 
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time we are referring to the expected number of operations for any input (and 
not just an average of the expected running times over all inputs). 

We should be clear about what it means to have a finitely generated group 
G, and to be able to compute the function /. This is difficult without losing 
some generality or being dry and technical, or both. The algorithms we de- 
scribe only apply for groups G which are represented as finite tuples of integers 
corresponding to the direct product of cyclic groups (consequently, G is finitely 
generated and Abelian). Conversely, for any finitely generated Abelian G, there 
is a temptation to point out that G is isomorphic to such a direct product of 
cyclic groups, and assume that we can easily access this product structure. This 
is not always the case, even in cases of practical interest. For example, Z^,, the 
multiplicative group of integers modulo N for some large integer N, which is 
Abelian of order <j)(N) (the Euler </>-function) and thus isomorphic to a product 
of cyclic groups of prime power order. We will not necessarily know cj>(N) or 
have a factorisation of it along with a set of generators for 7>* N . However, in 
light of the quantum algorithms described in this paper, we could efficiently 
find such an isomorphism, thereby increasing the number of finitely generated 
Abelian groups which can be efficiently expressed in a manner which allows us 
to employ these algorithms. We will however leave further discussion of these 



details to another note [EMj. When we talk about computing /, we assume 
that we have some unitary operation Uf which takes us from state | x) | 0) to 
| x) | /(x)). It could, for example, take | x) | y) to | x) | y + /(x)), where + de- 
notes an appropriate group operation, such as addition modulo N when the 
second register is used to represent the integers modulo N. 

Various cases of the hidden subgroup problem are described in [3h|, 



Uf, fBl}, fGr|, @, jCEMMfl , and @. We note that |3Lj also covers the 



case that / is not necessarily distinct on each coset (that is, h is not 1-to-l) 
and this is discussed in the appendix. Finding the order r of an element in a 
group H of unknown size, or the period r of a function /, is a special case where 
G = Z and K — rZ. For any generator ej of a finitely generated G, we can 



use the algorithm in Sect. 4.2 to find an integer k such that f(kej) — /(0), 
so that ke- } € K . We find this k with 0(n) applications of / and 0(n 2 ) other 
elementary quantum operations. We can then assume that ej is of order k (that 
is, factor (fcej) out of G), and in general assume that G is a finite group. 
We give a few examples. 

Deutsch's Problem: Consider a function / mapping Z2 = {0, 1} to {0, 1}. 
Then f(x) = f(y) if and only if x — y € K , where where K is either {0} or 
Z2 = {0, 1}. If K is {0}, then / is 1 — to — 1 (or balanced), and if K is Z2 then 
/ is constant. @ JCEMM ] 



Simon's Problem: Consider a function / from Z2* to some set X with 
the property that f(x) — f{y) if and only if x — y € {0, s} for some string s of 
length I. Here K = {0,s} is the hidden subgroup of Z2*. Simon (Si) presents 
an efficient algorithm for solving this problem, and the solution to the hidden 
subgroup problem in the Abelian case is a generalisation. 
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Discrete Logarithms: Let G be the group Z r x Z r where Z r is the additive 
group of integers modulo r. Let the set X be the subgroup generated by some 
element a of a group H, with a r = 1. For example, H = F*, the multiplicative 
group of the field of order g, where r = q — 1. Let a,b £ G, and suppose 
6 = a m . Define / to map (a;, y) to et a: 6 1 '. Here the hidden subgroup of G 
is K = {(k, — km)\k = 0,1, . . . ,r — 1} = ((1,— m)), the subgroup generated 
by (1,— to). Finding this hidden subgroup will give us the logarithm of b to 
the base a. The security of the U.S. Digital Signature Algorithm is based on 



the computational difficulty of this problem in F* (sec [ |MOV| for details and 
references). Here the input size is n = |~log 2 r~\ . Shor's algorithm [3h| was the 
first to solve this problem efficiently. In this case, / is also a homomorphism 
which can make implementations more simple as described in Sect. 0. 

Self-Shift-Equivalent Polynomials: Given a polynomial P in I variables 
X\, X2, ■ ■ ■ , Xi over F g , the function / which maps (ai, a^, ■ ■ . , a{) £ F l q to 
P(X\ — ai,X2 — 0,2, ■ ■ ■ , Xi — ai) is constant on cosets of a subgroup K of 
F l q . This subgroup K is the set of self-shift-equivalences of the polynomial P. 



Grigoriev Gi] shows how to compute this subgroup. He also shows, in the case 
that q has characteristic 2, how to decide if two polynomials P\ and P2 are 
shift-equivalent, and to generate the set of elements (01,02, . . . ,a{) such that 
P\{X\ — a\, X2 — 0,2, ■ ■ ■ , Xi — ai) = Pi{Xx, X%, . . . , X{). The input size n is at 
most I log 2 q. 

Abelian Stabiliser Problem: Let G be any group acting on a finite set 
X. That is, each element of G acts as a map from X to X, in such a way that 
for any two elements a,b £ G, a(b(x)) = (ab)(x) for all x £ X . For a particular 
element x of X, the set of elements which fix x (that is, the elements a £ G 
such that a(x) = x), form a subgroup. This subgroup is called the stabiliser of 
x in G, denoted Stc(x). Let f x denote the function from G to X which maps 
g £ G to g(x). The hidden subgroup corresponding to f x is K = Stgix). The 
finitely generated Abelian case of this problem was solved by Kitaev [JKJ, and 
includes finding orders and discrete logarithms as special cases. 

3 Phase Estimation and the Quantum Fourier 
Transform 

In this section, we review the relationship between phase estimation and the 



quantum Fourier transform which was highlighted in [CEMM] 



The quantum Fourier transform for the cyclic group of order N , Fn, maps 

JV-l 

'N 



— J2 e 2max ' N I x) 



x=0 
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So Fjy 1 maps 



N 

N-l 



1 y e 2, iax /N , ) , fl) 

v x— 

More generally, for any </>, < </> < 1, F^ 1 maps 

N-l 

J2 a ^\ x ) (!) 



JV 

^ iV-l N-l 



where the amplitudes a^ tX are concentrated near values of x such that x/N are 
good estimates of <j>. The closest estimate of <f> will have amplitude at least 4/tt 2 . 
The probability that x/N will be within A;/iV of 4> is at least 1 — l/(2fc— 1). See 



[CEMM| for details in the case that N is a power of 2; the same proof works for 
any N. Thus to estimate 4> such that, with probability at least 1 — e, the error 
is less than 1/M, we should use a control register containing values from to 
N — 1 and apply for any N > M(l/e + l)/2. For example, if we desire an 
error of at most 1/2" with probability at least 1 — l/2 m we could use N — 2 n+m . 
In practice, it will be best to use the N that corresponds to the group that is 
easiest to represent and work with in the particular physical realisation of the 
quantum computer at hand. We expect that this N will be a power of two. 

For convenience, we will omit normalising factors in the remainder of this 
paper. It will also be convenient to have a compact notation for the state on 
the right hand side of ([!]) which we consider to be a good estimator for \(j>). So 
let us refer to this state as \<p) N or just | </>) if the value of N is understood. 
Lastly, we will use exp(x) to denote e x . 



4 The Algorithm 

To restrict attention from finitely generated groups G to finite groups we need 
to know how to solve the cyclic case (just one generator), that is, to find the 
period of a function from Z to the set X. We will first describe how to find the 
order of an element a in a group H , or equivalently, the period of the function 



/ : t — ► a* , as Shor [ 3h | did for the group H = 7i* N , the multiplicative group of 
integers modulo N . We will then show how to generalise it to find the period of 
any function / : Z — > X. If / were a homomorphism (so h is an isomorphism of 
H, when / is decomposed as / = h o g), we would just be finding the order of 
/(l) in H . The difference is that we are showing how to deal with a non-trivial 
h which hides the homomorphism structure. The details will also help explain 
how to find hidden subgroups of finite Abelian groups. 

4.1 Finding Orders in Groups 

We have an element a from a group H and we wish to find the smallest positive 
integer r such that a r — 1. The group H is not necessarily Abelian; all that 
matters is that the subgroup generated by a is Abelian, and this is always true. 
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The idea is to create an operator U a which corresponds to multiplication by a (so 
it maps | y) to | ay)). Since a r = 1, then = /, the identity operator. Hence 
the eigenvalues of U a are rth roots of unity, exp(2nik / V) , fc = 0, 1, . . . , r — 1. By 
estimating a random eigenvalue of [7 a , with accuracy l/2r 2 , we can determine 
the fraction k jr. The denominator (with the fraction in lowest terms) will be a 
factor of r. We thus seek to estimate an eigenvalue of U a ; note that U r a = U a r. 

For any integer x define U a * to be the operator that maps | y) to \a x y). 
Define U a x to be the operator which maps | x) \ y) to | x) U a * \y) = \x)\ a x y). 
Note that U a x acts on two registers and x is a variable which takes on the value 
in the first register, while U a * acts on one register and x is fixed. Consider the 
eigenvectors 

r-1 

I = E exp(-27ri/ci/r) | a*) , k = 0, 1, . . . , r - 1, (2) 

of C/ a x and respective eigenvalues exp(27ri/ca;/r) . If we start with the superpo- 
sition 

El *>!**> 

and then apply U a x we get 

2'-l 

E exp(2irikx/r) \ x) \ . 

As discussed in the previous section, applying F^ 1 to the first register gives 
| fc/r) | <J/fc) and thus a good estimate of k/r. 

We will not typically have \^k) but we do know that | 1) — J2k=o \^k)- 
Therefore we can start with 

|0)|l) = |0)El*fc>=E|0>|*fc) (3) 

k=0 k=0 

and then apply F 2 i to the first register to produce 

r-1 /V-i \ 

E Ei*) i**>- w 

fe=0 \x=0 J 

We then apply U a x to get 

r-1 /2 ! -l \ 

E E ex p( 2iTikx / r ) i x ) i *fe) (5) 

fc=0 \x=0 J 

followed by F^ 1 on the control register to yield 

J2\kjr)\* k ). (6) 
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Observing the first register will give an estimate of k/r for an integer k 



chosen uniformly at random from the set {0, 1, .. .,r — 1}. As shown in [3h|, 
we choose / > 2 log 2 r, and use the continued fractions algorithm to find the 
fraction k/r. Of course, we do not know r, so we must either use an / we 
know will be larger than 21og 2 r, such as 21og 2 N in the case that H is 7,* N . 
(Alternatively, we could guess a lower bound for r, and if the algorithm fails, 
subsequently double the guess and repeat.) We then repeat O(l) times to find r. 
This algorithm thus uses O(l) exponentiations, or 0(n) group multiplications, 
and 0(n 2 ) elementary quantum operations to do the Fourier transforms. 

We can factor the integer N by finding orders of elements in 7i* N . This uses 
only 0(n 3 ) or exp(clogn) elementary quantum operations, for c = 3 + oil) (or 
c = 2 + o(l) if we use fast Fourier transform techniques). Other deterministic 
factoring methods will factor N in 0(y/~N) or exp(cn) steps, where c = 1/2 + 
o(l). The best known rigorous probabilistic classical algorithm (using index 
calculus methods) |LP| uses exp(c(nlogn) 1 / 2 ) elementary classical operations, 
c = 1 + o(l). There is also an algorithm with a heuristic expected running 
time of exp(c(n 1 / 3 (logn) 2//3 ) elementary classical operations (see [MOV| for an 



overview and references) for c = 1.902 + o(l). Thus, in terms of elementary 
operations, a quantum computer provides a drastic improvement over known 
classical methods to factor integers. 

4.2 Finding the Period of a Function 



The above algorithm, as pointed out in [BL|, can be applied to a more general 
setting. Replace the mapping from t to a 1 with any function / from the integers 
to some finite set X. Define to be an operator that maps f(y) to f(y + x). 

This is a generalisation of U a * except it does not matter how it is defined on 
values not in the range of /, as long as it is unitary. Define C//(x) to be an 
operator which maps | x) \ f(y)) to | x)U f(x) \ f{y)) =\x)\f(y + x)). 
The following are eigenvectors of Uf( x y. 

r-1 

| * fc ) = exp(-27rikt/r) | f(t)) , k = 0, 1, . . . , r - 1, (7) 
t=o 

with respective eigenvalues exp(27rifca;/r). As in (0), we can start with 

r-1 

I o>|/(o)) = £>>!**) 



k=0 



except with our new, more general, definition of |^fc). We apply i 7 ^" to the 
first register to produce (H), and then apply f//(x) to produce (||), followed by 
F^n to get (||). Observing the first register will give an estimate of k/r for an 
integer k chosen uniformly at random, and the same analysis as in the previous 
section applies to find r. 

One important issue is how to compute U /(x) only knowing how to compute 
/. Note that from (|I|) to (||) (using the modified definition of | ^fe)) we simply 



7 



go from 



to 



2™-l 2™-l /r-1 



a;=0 £c=0 \fe=0 



2"-l 2™-l /r-1 



E b) I /(*)) = E I E cxp(27rzxfc/r) | **) (9) 



2=0 x=0 \fe=0 



which could be accomplished by applying Uf, which we do have, to the starting 
state 



E i*>i°>- 



a:=0 



Thus even if we do not know how to explicitly compute the operators Uft x \, 
any operator Uf which computes the function / will give us the state (^). This 
state permits us to estimate an eigenvalue of Uf( x ) which lets us find the period 
of the function / with just O(l) applications of the operator Uf and 0(n 2 ) 
other elementary operations. The equality in ([)]) is the key to the equivalence 
between the two approaches to these quantum algorithms. On the left hand side 
is the original approach [3h|, [BL]) which considers the target register in 



the standard computational basis. We can analyse the Fourier transform of the 
preimages of these basis states, which is less easy when the Fourier transforms 
do not exactly correspond to the group G. On the right hand side of (^) we 
consider the target register in a basis containing the eigenve ctors of the unitary 
operators which we apply to it (as done in [Ki and | CEMM| , for example), and 



this gives us , from which it is easy to see and analyse the effect of the inverse 
Fourier transform even when it does not perfectly match the size of G. 



4.3 Finding Hidden Subgroups 

As discussed in Sect. |2|, any finite Abelian group G is the product of cyclic 
groups. In light of the order-finding algorithm, which also permits us to factor, 
we can assume that the group G is represented as a product of cyclic groups of 
prime power order. Further, for any product of two groups G p and G q whose 
orders are coprime, any subgroup K of G p x G q must be equal to K p x K q 
from some subgroups K p and K q of G p and G q respectively. We can therefore 
consider our function / separately on G p and G q and determine K p and K q 
separately. Thus we can further restrict ourselves to groups G of prime power 
order. This not only simplifies any analysis, it could reduce the size of quantum 
control registers necessary in any implementation of these algorithms. 

Let us thus assume that G = Z pmi x Z pm2 x • • • x Z p ™, for some prime p and 
positive integers mj < ni2 < • • • < m; = m. The 'promise' is that / is constant 
on cosets of a subgroup K, and distinct on each coset. The hidden subgroup 
K is {k = (fci, fc 2 , . . . , fc;)|/(x) = /(x + k) for all x 6 G). In practice, this 
will usually be a consequence of the nature of /, as in the case of discrete 
logarithms where f{x\ 1 X2) — a Xl b X2 , or whenever / is constructed as h o g for 
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some homomorphism g from G to some finite group H, and a 1-to-l mapping 
h from H to the set X. 

Let Uf be an operator which maps | x) | 0) to | x) |/(x)). Define ei = 
(1,0,..., 0), e 2 = (0, 1, 0, . . . , 0), and so on. Let us also consider an oper- 
ator related to Uf, t//( Xej ), which maps \x)\f(y)) to \ x) U f {xej) \ f (y)) = 
\ x ) \ f(y + xe j))- I n the case of Simon's Problem, the operator C//(x(o,i.o)) 
maps 1 1) |/(yi,2/2,2/3)) to 1 1) £//(o,i,o) I / (2/1, 2/2, 2/3))) = I 1) I f(vi, 2/2 + 1, J/3)) 
and does nothing to | 0) | /(j/i, 2/2, 2/3))- 

For each t = (£1, *2, • •-,£;)> ^ *j < P™' , satisfying 



^-^m-m,^. = o mod p m for aU h e K (10) 

3=1 



define 



1*0 = £ exp ( J^£p"^ aj j /,ai) . (Hi 

a6G/if \ P j=l 

We are summing over a set of representatives of the cosets of K modulo G, 
and by condition ( |Io| ) on t, this sum is well-defined. Let T denote the set of t 
satisfying ([To|), which corresponds to the group of characters of G/K. The | 4" t ) 
are eigenvectors of each C//( Ke .), with respective eigenvalues exp(27rzxi :) -/p" lj ') . 
By determining these eigenvalues, for j — 1, 2, . . . , I, we will determine t. If we 
had I ^t) in an auxiliary register, we could estimate tj/p nlj using U /(xej) by the 
technique of the previous section. If we use F~in s we would determine tj exactly, 
or we could use the simpler Fr k , for some k > log 2 (p mj ), and obtain tj with 
high probability. For simplicity, we will use F~^ j . In practice we could use F~ k x 
for a large enough k so that the probability of error is sufficiently small. 

By estimating tj/p m i for j = 1,2,..., I, we determine t. The algorithm 
starts by preparing I control registers in the state | 0) and one target or auxiliary 
register in the state | 'J't) , applies the appropriate Fourier transforms to produce 



(12) 



followed by J7/(xej) f° r 3 ' = 1, 2, ■ ■ ■ , n, using the jth register as the control and 
I ^t) as the target, to produce 

("E^xp^^m) • •• ( P E 1 exp(2^)|,^ |* t >. (13) 

Then apply F™' to the jth control register for each j to yield 

I *x> 1 *a> — I **> I (14) 
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from which we can extract t. As in the previous section, we do not know how 
to construct | ^t), but we do know that 

|/(0)) = El*t). 
teT 

So we start with 

I o> j o> - • - 1 o) |/(o)> = X>>|o>...|o>|*t) 

teT 

apply Fourier transforms to get 

\ / P m '-i \ 

E E i-o — E i««> i**) 

teT \ X!=0 ) \ 2j=0 J 

then apply C//(x ej ) using the jth register as a control register, for j 
and the last register as the target register to produce 



(15) 

= 1,2,. ..,71, 



E f E" ex P( 2 ™^)l^>) ■ flf «^(2^)l*i>) l*t>- (16) 
teT \ x 1= o 1 ) \ x l= 1 ) 

We finally apply F~ mj to the jth control register for j = 1,2, ... ,1, to produce 

Ei *)!**>• 

teT 

Observing the first register lets us sample the t's uniformly at random, and 
thus with 0(n) repetitions we will, by ([To|), have enough independent linear 
relations for us to determine a generating set for K . For example, in the case of 
Simon's problem, the 1 1) all satisfy t • s = X^=i tj s j m °d 2 = mod 2, where 
K = {0, s}. We could also guarantee that each new non-zero element of T will 
increase the span by a technique discussed in the appendix. 



This analysis of eigenvectors and eigenvalues is based on the work in Ki| 
The problem is that, unlike in |Ki|, we do not always have the operator Uf(xe 3 ) 



However, note that, like in Sect. [4.2], going from (ITa) to (16) maps 



to 



E i x >]i/(°)> 

\0<Xj<p m 3 

E i x >i/( x )> 

0<Xj<p m 3 



E f e"-p( 2 %£)m) ••• f E «p(2«^)i*i>) i*o 

teT \ x 1= o y ) \ x t =0 F / 
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We can create state ( |16[ ) by applying Uf 
state 

I x) I 



which we do have, to the starting 



E 

0<Xi<p" 



and proceeding with the remainder of the algorithm. As in Sect. 4.2, we are 
considering the target register in the basis containing the eigenvectors | ^k) 
instead of the computational basis. 



5 Reducing the Size of Control Registers 
5.1 Discrete Logarithms 

In practice, it might be advantageous to reduce the number of qubits required 
to solve a problem, or the length of time each qubit must be isolated from 
the environment. For example, suppose we wish to find m such that a" 1 = b, 
where the order of a divides r. The operators U a * and , which correspond to 
multiplication by a x and b x respectively, share the eigenvectors | ^k) (see (||)) 
and have corresponding eigenvalues exjp(2irikx/r) and exp(2nikmx / r) . We can 
assume we know r by applying the order-finding algorithm if necessary. By using 
U a x with one control register we can approximate k/r, and by using [/ h x with 
another control register we can approximate (km mod r)/r and then extract 
m modulo r/gcd(r, k). Note that since we know r, we only need logr bits of 
precision when estimating k/r and (km mod r) /r, instead of 2 log 2 r when using 
continued fractions. Note further that, knowing r, it may be possible to actually 
place | ^fc) into the target register (by direct construction or otherwise) for some 
known k, and thus only require one control register with over log 2 r qubits to 
estimate (km mod r) jr. One way of doing this is to keep the target register 
after we have applied the order-finding algorithm and observed an estimate of 
k/r in the control register. At this point, the target register is almost entirely 
in the state | and we could now just estimate the eigenvalue of on this 
eigenstate, which we know will be (km mod r)/r. 



5.2 One Control Bit 

Consider the case that we have an efficient computational means of mapping 
| f(y)) to | f(y + x)) for any x. If we consider / to be of the form h o g for a 
homomorphism g, we are requiring that h is the identity or some other function 
with enough structure that we can efficiently map h(g(y)) to h(g(y + x)) = 
h(g(y) + g(x)). In this case we can efficiently solve the hidden subgroup problem 



with only one control bit or a sequence of flying qubits | THLMK | . We illustrate 
this method for the problem of finding the order of an element a in a group H . 

Figure || shows the relationship between F^} and the controlled multipli- 
cations by powers of a in the order-finding algorithm. As already pointed out 



in | GIN], the measurements could be performed before the controlled rotations. 



The quantum controlled rotations could then be replaced with 'semi-classically' 
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|o) + |i>. 
|o) + |i>- 
|o) + |i}- 



H 



a 



a 



R 2 \H 



a 








\ 



Figure 2: We start with (| 0) + 1 1»(| 0) + 1 1))(| 0) + 1 1» | * fc ) = £l=o | x) | **). 
The controlled multiplications create the state Ylx—o exp(27ri/c/r) | x) \ The 
remaining gates create the state | k/r) (apart from reversing the order of the 
qubits) which we then observe. The -ff-gates correspond to Hadamard trans- 
forms, and the Rj -gates correspond to a controlled phase shift of exp(27re/2 J ) 
on state 1 1). 
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Figure 3: Here we employ a 'semi-classical' version of F~ 3 l . We could mea- 
sure each qubit before it is used as a control, perform the controlled rotations 
'semi-classically', and the probability of observing each possible output state 
I %i) | %2) | £3) is the same as in Fig. |2j. 
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controlled rotations of the subsequent qubits (that is, the control bit is measured 
and, if the outcome is 1, the rotation is done quantumly). This brings us to Fig. 
||, where we observe further that all the operations on the first qubit could be 
performed before we even prepare the second qubit. All the operations could 
be done sequentially, starting from the first qubit, the results of measuring the 
previous qubits determining how to prepare the next qubit before measurement. 
This means we could in fact do all the quantum controlled multiplications with 
a single control qubit provided we can execute the 'semi-classical' controls which 
allow us to reset a qubit to | 0) + 1 1) and perform a rotation dependent upon the 
previous measurements (the rotations could in fact be implemented at any time 
after resetting the qubit and before applying the final Hadamard transform and 
measuring it; they could also be omitted provided we repeat each step a few 
extra times and do some additional classical post-processing as done in ||k| ). 
Alternatively, the control qubits could be a sequence of flying qubits which are 
measured (or prepared) in a way dependent upon the outcomes of the previous 
measurements of control qubits. 

For the more general hidden subgroup problem in Abelian groups we would 
have a sequence of applications of ^/(xe.) controlled by one qubit, which is 
measured, then reset to a superposition of | 0) and 1 1) plus some rotation that 
is dependent upon the previous measurements. In summary: 

The hidden subgroup K of a finitely generated Abelian group G generated by 
e!,e2, ■ • .eic, corresponding to a function f from G to a finite set X, can be 
found with probability close to 1 by 'semi-classical' methods with only one con- 
trol bit (or a sequence of flying qubits) and polynomial in n applications of the 
operators \ x) | /(y)) — > | x) \ f(y + xej)) for j = 1, 2, . . . , k, where n is the index 
ofKinG. 
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Appendix: When / is many-to-1 on G/K 



The question of what happens when / is many-to-1 on cosets of K was first 



addressed in |BL|. This is a slight weakening of the promise that / is distinct 
on each coset. Suppose / can have up to m cosets going to the same output, 
for some known m. That is, / = h o g where g is a homomorphism from G to a 
some group H with kernel K, and h is a mapping from H to X that is at most 
m-to-1. If m divides the order of K, we clearly have a problem. For example, 
suppose K is the cyclic group of order 2M, and m = 2, but by changing one 
value of / it would have period M. It can easily be shown that 17(y / M) (that 
is, at least c\fM for some positive constant c) applications of / are necessary 
to distinguish such a modified / from the original one with probability greater 
than 3/4, and thus no polynomial time algorithm, quantum or classical, could 
distinguish the two cases. Thus one requirement for there to exist an efficient 
solution in the worst case is that m is less than the smallest prime factor of \K\, 
the number of elements in K. 

The problem when / is not 1-to-l is the following. Running the same quan- 
tum algorithm will produce the state 



where 



fe=0 



r-1 

I *Jb> = X) exp(-27r»fe*/r) | /(*)> 
t=o 



This is the same definition as in (0) except now the | f(t)) are not necessarily 
distinct. This means the sizes of each of the | ^' k ) are not necessarily the same 
since both destructive and constructive interference can occur. Also, the | ty' k ) 
are no longer orthogonal, and thus some constructive interference could occur 
on the poor estimates of k/r. Recall that even the close estimates of k/r will 
not yield useful results when k = 0. Any other k will at least reveal a small 
factor of r. So we need to guarantee that the probability of observing a close 
enough estimate of k/r for some k ^ is significant. 

By making our estimates precise enough, say by using over 21og 2 r + e/m 2 
control qubits, the estimates of k/r will have error less than l/2r 2 (so that 
continued fractions will work) with probability at least 1 — e/m 2 . Thus assuming 
/ is 1-to-l, the probability of observing a bad output other than would be at 
most e/m 2 , and the probability of observing would be at most 1/r + e/m 2 . 
However, since / is at most m-to-1, these probabilities could amplify by at most 
a factor of m 2 to e and m 2 /r + e respectively. Observing a means we either 
got a bad output, or the period of / is 1. Getting as a bad output is not very 
harmful, however getting another bad output is more complicated, since it will 
give us a false factor of r. It will be useful to make e small, so that it is unlikely 
our answer is tainted by false factors of r. Once we have one factor r% of r, 



we can replace f(x) with f(rix) (as done in [BLQ, which has period r/r% and 
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find a factor of rjr\. Once we have a big enough factor r' of r, we might start 
observing O's, which tells us that the remaining factor of the original r, namely 
r/r', is less than m 2 . Thus we can explicitly test /(/), f(2r'), f(3r'), . . . , until 
we find the period, which will occur after at most m 2 applications. We thus have 
an algorithm with running time, in terms of elementary quantum operations and 
applications of /, polynomial in log(r) and quadratic in m. 

The trick of reducing the order of the function can be applied to reduce the 
size of the group and hidden subgroup in the finite Abelian hidden subgroup 
problem. When G — Z p , we can efficiently test ii K = G or K = {I}. The 
above analysis tells us how to deal with the case that G — Z p i for n > 1. A 
similar technique will reduce G = x • • • Z p i k to a quotient group G and we 
can again proceed inductively until the size of G is less than m 2 . We can then 
exhaustively test G for the hidden subgroup K in another 0(m 2 ) steps. 

We emphasize that this is a worst-case analysis. If there were a noticeable 
difference in the behaviour of a 1-to-l and an m-to-1 function /, m > 1, we 
could decide if a given function h is 1-to-l or many-to-one (by composing h 
with a function / whose period or hidden Abelian subgroup we know, and test 
for this difference in behaviour). Distinguishing 1-to-l functions from many-to-1 
functions seems like a very difficult task in general, and would solve the graph 
automorphism problem, for example. 
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